From a7a3a94d289124e143548e8ad44193a3bd4fd83c Mon Sep 17 00:00:00 2001 From: Susan Hinrichs Date: Thu, 29 Nov 2018 16:08:05 +0000 Subject: [PATCH] Add back in the option to conf_remap the verify_server settings. --- doc/admin-guide/files/records.config.en.rst | 8 +- include/ts/apidefs.h.in | 3 + iocore/net/P_SSLSNI.h | 6 +- iocore/net/SSLNetVConnection.cc | 22 ++- iocore/net/YamlSNIConfig.h | 8 +- plugins/lua/ts_lua_http_config.c | 6 + proxy/http/HttpConfig.h | 4 + proxy/http/HttpSM.cc | 42 ++++ src/traffic_server/InkAPI.cc | 23 ++- src/traffic_server/InkAPITest.cc | 5 +- .../tls/tls_verify_override.test.py | 185 ++++++++++++++++++ 11 files changed, 297 insertions(+), 15 deletions(-) create mode 100644 tests/gold_tests/tls/tls_verify_override.test.py diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst index 52ee8fcb5b0..249bd25c439 100644 --- a/doc/admin-guide/files/records.config.en.rst +++ b/doc/admin-guide/files/records.config.en.rst @@ -3455,11 +3455,14 @@ Client-Related Configuration .. ts:cv:: CONFIG proxy.config.ssl.client.verify.server.policy STRING DISABLED :reloadable: + :overridable: Configures |TS| to verify the origin server certificate with the Certificate Authority (CA). This configuration takes a value of :code:`DISABLED`, :code:`PERMISSIVE`, or :code:`ENFORCED` - You can override this global setting on a per domain basis in the ssl_servername.yaml file using the :ref:`verify_server_policy attribute`. + You can override this global setting on a per domain basis in the ssl_server_name.yaml file using the :ref:`verify_server_policy attribute`. + + You can also override via the conf_remap plugin. Those changes will take precedence over the changes in ssl_server_name.yaml. :code:`DISABLED` Server Certificate will not be verified @@ -3470,11 +3473,14 @@ Client-Related Configuration .. ts:cv:: CONFIG proxy.config.ssl.client.verify.server.properties STRING ALL :reloadable: + :overridable: Configures |TS| for what the default verify callback should check during origin server verification. You can override this global setting on a per domain basis in the ssl_servername.yaml file using the :ref:`verify_server_properties attribute`. + You can also override via the conf_remap plugin. Those changes will take precedence over the changes in ssl_server_name.yaml. + :code:`NONE` Check nothing in the standard callback. Rely entirely on plugins to check the certificate. :code:`SIGNATURE` diff --git a/include/ts/apidefs.h.in b/include/ts/apidefs.h.in index b8ab9629187..6c042653d40 100644 --- a/include/ts/apidefs.h.in +++ b/include/ts/apidefs.h.in @@ -782,6 +782,9 @@ typedef enum { TS_CONFIG_HTTP_ALLOW_HALF_OPEN, TS_CONFIG_HTTP_PER_SERVER_CONNECTION_MAX, TS_CONFIG_HTTP_PER_SERVER_CONNECTION_MATCH, + TS_CONFIG_SSL_CLIENT_VERIFY_SERVER, + TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY, + TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES, TS_CONFIG_LAST_ENTRY } TSOverridableConfigKey; diff --git a/iocore/net/P_SSLSNI.h b/iocore/net/P_SSLSNI.h index 15580ff05ff..a1d75045417 100644 --- a/iocore/net/P_SSLSNI.h +++ b/iocore/net/P_SSLSNI.h @@ -42,9 +42,9 @@ // Properties for the next hop server struct NextHopProperty { - std::string name; // name of the server - YamlSNIConfig::Policy verifyServerPolicy = YamlSNIConfig::Policy::DISABLED; // whether to verify the next hop - YamlSNIConfig::Property verifyServerProperties = YamlSNIConfig::Property::NONE; // what to verify on the next hop + std::string name; // name of the server + YamlSNIConfig::Policy verifyServerPolicy = YamlSNIConfig::Policy::UNSET; // whether to verify the next hop + YamlSNIConfig::Property verifyServerProperties = YamlSNIConfig::Property::UNSET; // what to verify on the next hop SSL_CTX *ctx = nullptr; // ctx generated off the certificate to present to this server NextHopProperty(); }; diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc index 71e1b085162..96221d49696 100644 --- a/iocore/net/SSLNetVConnection.cc +++ b/iocore/net/SSLNetVConnection.cc @@ -971,15 +971,27 @@ SSLNetVConnection::sslStartHandShake(int event, int &err) SSL_CTX *clientCTX = nullptr; if (nps) { - clientCTX = nps->ctx; - options.verifyServerPolicy = nps->verifyServerPolicy; - options.verifyServerProperties = nps->verifyServerProperties; + clientCTX = nps->ctx; + } else { // Just stay with the values passed down from the SM for verify + clientCTX = params->client_ctx; + } + if (options.verifyServerPolicy != YamlSNIConfig::Policy::UNSET) { + // Stay with conf-override version as the highest priority + } else if (nps && nps->verifyServerPolicy != YamlSNIConfig::Policy::UNSET) { + options.verifyServerPolicy = nps->verifyServerPolicy; + } else { + options.verifyServerPolicy = params->verifyServerPolicy; + } + + if (options.verifyServerProperties != YamlSNIConfig::Property::UNSET) { + // Stay with conf-override version as the highest priority + } else if (nps && nps->verifyServerProperties != YamlSNIConfig::Property::UNSET) { + options.verifyServerProperties = nps->verifyServerProperties; } else { - clientCTX = params->client_ctx; - options.verifyServerPolicy = params->verifyServerPolicy; options.verifyServerProperties = params->verifyServerProperties; } + if (!clientCTX) { SSLErrorVC(this, "failed to create SSL client session"); return EVENT_ERROR; diff --git a/iocore/net/YamlSNIConfig.h b/iocore/net/YamlSNIConfig.h index 8926c29bdc2..0acf4f21f21 100644 --- a/iocore/net/YamlSNIConfig.h +++ b/iocore/net/YamlSNIConfig.h @@ -52,8 +52,8 @@ struct YamlSNIConfig { client_cert }; enum class Level { NONE = 0, MODERATE, STRICT }; - enum class Policy : uint8_t { DISABLED = 0, PERMISSIVE, ENFORCED }; - enum class Property : uint8_t { NONE = 0, SIGNATURE_MASK = 0x1, NAME_MASK = 0x2, ALL_MASK = 0x3 }; + enum class Policy : uint8_t { DISABLED = 0, PERMISSIVE, ENFORCED, UNSET }; + enum class Property : uint8_t { NONE = 0, SIGNATURE_MASK = 0x1, NAME_MASK = 0x2, ALL_MASK = 0x3, UNSET }; YamlSNIConfig() {} @@ -63,8 +63,8 @@ struct YamlSNIConfig { uint8_t verify_client_level = 255; std::string tunnel_destination; bool tunnel_decrypt = false; - Policy verify_server_policy = Policy::DISABLED; - Property verify_server_properties = Property::NONE; + Policy verify_server_policy = Policy::UNSET; + Property verify_server_properties = Property::UNSET; std::string client_cert; std::string client_key; std::string ip_allow; diff --git a/plugins/lua/ts_lua_http_config.c b/plugins/lua/ts_lua_http_config.c index d7f25c61e3e..b7c63ea9219 100644 --- a/plugins/lua/ts_lua_http_config.c +++ b/plugins/lua/ts_lua_http_config.c @@ -134,6 +134,9 @@ typedef enum { TS_LUA_CONFIG_HTTP_ALLOW_MULTI_RANGE = TS_CONFIG_HTTP_ALLOW_MULTI_RANGE, TS_LUA_CONFIG_HTTP_REQUEST_BUFFER_ENABLED = TS_CONFIG_HTTP_REQUEST_BUFFER_ENABLED, TS_LUA_CONFIG_HTTP_ALLOW_HALF_OPEN = TS_CONFIG_HTTP_ALLOW_HALF_OPEN, + TS_LUA_CONFIG_SSL_CLIENT_VERIFY_SERVER = TS_CONFIG_SSL_CLIENT_VERIFY_SERVER, + TS_LUA_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY = TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY, + TS_LUA_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES = TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES, TS_LUA_CONFIG_LAST_ENTRY = TS_CONFIG_LAST_ENTRY, } TSLuaOverridableConfigKey; @@ -258,6 +261,9 @@ ts_lua_var_item ts_lua_http_config_vars[] = { TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_ALLOW_MULTI_RANGE), TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_REQUEST_BUFFER_ENABLED), TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_ALLOW_HALF_OPEN), + TS_LUA_MAKE_VAR_ITEM(TS_CONFIG_SSL_CLIENT_VERIFY_SERVER), + TS_LUA_MAKE_VAR_ITEM(TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY), + TS_LUA_MAKE_VAR_ITEM(TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES), TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_PER_SERVER_CONNECTION_MAX), TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_PER_SERVER_CONNECTION_MATCH), TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_LAST_ENTRY), diff --git a/proxy/http/HttpConfig.h b/proxy/http/HttpConfig.h index fd61d074243..41d5e819324 100644 --- a/proxy/http/HttpConfig.h +++ b/proxy/http/HttpConfig.h @@ -492,6 +492,8 @@ struct OverridableHttpConfigParams { request_buffer_enabled(0), allow_half_open(1), ssl_client_verify_server(0), + ssl_client_verify_server_policy(nullptr), + ssl_client_verify_server_properties(nullptr), redirect_use_orig_cache_key(0), number_of_redirections(0), proxy_response_hsts_max_age(-1), @@ -677,6 +679,8 @@ struct OverridableHttpConfigParams { // server verification mode// ///////////////////////////// MgmtByte ssl_client_verify_server; + char *ssl_client_verify_server_policy; + char *ssl_client_verify_server_properties; ////////////////// // Redirection // diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc index 514e9f9d814..d788812dc00 100644 --- a/proxy/http/HttpSM.cc +++ b/proxy/http/HttpSM.cc @@ -4671,6 +4671,46 @@ HttpSM::send_origin_throttled_response() call_transact_and_set_next_state(HttpTransact::HandleResponse); } +static void +set_tls_options(NetVCOptions &opt, OverridableHttpConfigParams *txn_conf) +{ + char *verify_server = nullptr; + if (txn_conf->ssl_client_verify_server_policy == nullptr) { + opt.verifyServerPolicy = YamlSNIConfig::Policy::UNSET; + } else { + verify_server = txn_conf->ssl_client_verify_server_policy; + if (strcmp(verify_server, "DISABLED") == 0) { + opt.verifyServerPolicy = YamlSNIConfig::Policy::DISABLED; + } else if (strcmp(verify_server, "PERMISSIVE") == 0) { + opt.verifyServerPolicy = YamlSNIConfig::Policy::PERMISSIVE; + } else if (strcmp(verify_server, "ENFORCED") == 0) { + opt.verifyServerPolicy = YamlSNIConfig::Policy::ENFORCED; + } else { + Warning("%s is invalid for proxy.config.ssl.client.verify.server.policy. Should be one of DISABLED, PERMISSIVE, or ENFORCED", + verify_server); + opt.verifyServerPolicy = YamlSNIConfig::Policy::UNSET; + } + } + if (txn_conf->ssl_client_verify_server_properties == nullptr) { + opt.verifyServerProperties = YamlSNIConfig::Property::UNSET; + } else { + verify_server = txn_conf->ssl_client_verify_server_properties; + if (strcmp(verify_server, "SIGNATURE") == 0) { + opt.verifyServerProperties = YamlSNIConfig::Property::SIGNATURE_MASK; + } else if (strcmp(verify_server, "NAME") == 0) { + opt.verifyServerProperties = YamlSNIConfig::Property::NAME_MASK; + } else if (strcmp(verify_server, "ALL") == 0) { + opt.verifyServerProperties = YamlSNIConfig::Property::ALL_MASK; + } else if (strcmp(verify_server, "NONE") == 0) { + opt.verifyServerProperties = YamlSNIConfig::Property::NONE; + } else { + Warning("%s is invalid for proxy.config.ssl.client.verify.server.properties. Should be one of SIGNATURE, NAME, or ALL", + verify_server); + opt.verifyServerProperties = YamlSNIConfig::Property::NONE; + } + } +} + ////////////////////////////////////////////////////////////////////////// // // HttpSM::do_http_server_open() @@ -4959,6 +4999,8 @@ HttpSM::do_http_server_open(bool raw) t_state.txn_conf->sock_option_flag_out, t_state.txn_conf->sock_packet_mark_out, t_state.txn_conf->sock_packet_tos_out); + set_tls_options(opt, t_state.txn_conf); + opt.ip_family = ip_family; if (ua_txn) { diff --git a/src/traffic_server/InkAPI.cc b/src/traffic_server/InkAPI.cc index 810435a7183..7b17eb05ea9 100644 --- a/src/traffic_server/InkAPI.cc +++ b/src/traffic_server/InkAPI.cc @@ -8204,6 +8204,13 @@ _conf_to_memberp(TSOverridableConfigKey conf, OverridableHttpConfigParams *overr case TS_CONFIG_SSL_CERT_FILEPATH: ret = _memberp_to_generic(&overridableHttpConfig->client_cert_filepath, conv); break; + case TS_CONFIG_SSL_CLIENT_VERIFY_SERVER: + ret = _memberp_to_generic(&overridableHttpConfig->ssl_client_verify_server, conv); + break; + case TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY: + case TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES: + // String, must be handled elsewhere + break; case TS_CONFIG_PARENT_FAILURES_UPDATE_HOSTDB: ret = _memberp_to_generic(&overridableHttpConfig->parent_failures_update_hostdb, conv); break; @@ -8408,6 +8415,16 @@ TSHttpTxnConfigStringSet(TSHttpTxn txnp, TSOverridableConfigKey conf, const char } } break; + case TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY: + if (value && length > 0) { + s->t_state.txn_conf->ssl_client_verify_server_policy = const_cast(value); + } + break; + case TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES: + if (value && length > 0) { + s->t_state.txn_conf->ssl_client_verify_server_properties = const_cast(value); + } + break; default: { MgmtConverter const *conv; void *dest = _conf_to_memberp(conf, s->t_state.txn_conf, conv); @@ -8594,7 +8611,11 @@ static const std::unordered_map SDK_Overridable_Configs = { "proxy.config.http.request_buffer_enabled", "proxy.config.http.allow_half_open", OutboundConnTrack::CONFIG_VAR_MAX, - OutboundConnTrack::CONFIG_VAR_MATCH}}; + OutboundConnTrack::CONFIG_VAR_MATCH, + "proxy.config.ssl.client.verify.server", + "proxy.config.ssl.client.verify.server.policy", + "proxy.config.ssl.client.verify.server.properties"}}; REGRESSION_TEST(SDK_API_OVERRIDABLE_CONFIGS)(RegressionTest *test, int /* atype ATS_UNUSED */, int *pstatus) { diff --git a/tests/gold_tests/tls/tls_verify_override.test.py b/tests/gold_tests/tls/tls_verify_override.test.py new file mode 100644 index 00000000000..6afbfd52063 --- /dev/null +++ b/tests/gold_tests/tls/tls_verify_override.test.py @@ -0,0 +1,185 @@ +''' +''' +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import os +Test.Summary = ''' +Test tls server certificate verification options. Exercise conf_remap +''' + +# need Curl +Test.SkipUnless( + Condition.HasProgram("curl", "Curl need to be installed on system for this test to work") +) + +# Define default ATS +ts = Test.MakeATSProcess("ts", select_ports=False) +server_foo = Test.MakeOriginServer("server_foo", ssl=True, options = {"--key": "{0}/signed-foo.key".format(Test.RunDirectory), "--cert": "{0}/signed-foo.pem".format(Test.RunDirectory)}) +server_bar = Test.MakeOriginServer("server_bar", ssl=True, options = {"--key": "{0}/signed-bar.key".format(Test.RunDirectory), "--cert": "{0}/signed-bar.pem".format(Test.RunDirectory)}) +server = Test.MakeOriginServer("server", ssl=True) + +request_foo_header = {"headers": "GET / HTTP/1.1\r\nHost: foo.com\r\n\r\n", "timestamp": "1469733493.993", "body": ""} +request_bad_foo_header = {"headers": "GET / HTTP/1.1\r\nHost: bad_foo.com\r\n\r\n", "timestamp": "1469733493.993", "body": ""} +request_bar_header = {"headers": "GET / HTTP/1.1\r\nHost: bar.com\r\n\r\n", "timestamp": "1469733493.993", "body": ""} +request_bad_bar_header = {"headers": "GET / HTTP/1.1\r\nHost: bad_bar.com\r\n\r\n", "timestamp": "1469733493.993", "body": ""} +response_header = {"headers": "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n", "timestamp": "1469733493.993", "body": ""} +server_foo.addResponse("sessionlog.json", request_foo_header, response_header) +server_foo.addResponse("sessionlog.json", request_bad_foo_header, response_header) +server_bar.addResponse("sessionlog.json", request_bar_header, response_header) +server_bar.addResponse("sessionlog.json", request_bad_bar_header, response_header) + +# add ssl materials like key, certificates for the server +ts.addSSLfile("ssl/signed-foo.pem") +ts.addSSLfile("ssl/signed-foo.key") +ts.addSSLfile("ssl/signed-bar.pem") +ts.addSSLfile("ssl/signed-bar.key") +ts.addSSLfile("ssl/server.pem") +ts.addSSLfile("ssl/server.key") +ts.addSSLfile("ssl/signer.pem") +ts.addSSLfile("ssl/signer.key") + +ts.Variables.ssl_port = 4443 +ts.Disk.remap_config.AddLine( + 'map http://foo.com/basic https://127.0.0.1:{0}'.format(server_foo.Variables.Port)) +ts.Disk.remap_config.AddLine( + 'map http://foo.com/override https://127.0.0.1:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED'.format(server_foo.Variables.Port)) +ts.Disk.remap_config.AddLine( + 'map http://bar.com/basic https://127.0.0.1:{0}'.format(server_foo.Variables.Port)) +ts.Disk.remap_config.AddLine( + 'map http://bar.com/overridedisabled https://127.0.0.1:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=DISABLED'.format(server_foo.Variables.Port)) +ts.Disk.remap_config.AddLine( + 'map http://bar.com/overridesignature https://127.0.0.1:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.properties=SIGNATURE @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED'.format(server_foo.Variables.Port)) +ts.Disk.remap_config.AddLine( + 'map http://bar.com/overrideenforced https://127.0.0.1:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED'.format(server_foo.Variables.Port)) +ts.Disk.remap_config.AddLine( + 'map /basic https://127.0.0.1:{0}'.format(server.Variables.Port)) +ts.Disk.remap_config.AddLine( + 'map /overrideenforce https://127.0.0.1:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED'.format(server.Variables.Port)) +ts.Disk.remap_config.AddLine( + 'map /overridename https://127.0.0.1:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.properties=NAME'.format(server.Variables.Port)) + +ts.Disk.ssl_multicert_config.AddLine( + 'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key' +) + +# Case 1, global config policy=permissive properties=signature +# override for foo.com policy=enforced properties=all +ts.Disk.records_config.update({ + 'proxy.config.diags.debug.enabled': 1, + 'proxy.config.diags.debug.tags': 'http|ssl', + 'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir), + 'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir), + # enable ssl port + 'proxy.config.http.server_ports': '{0} {1}:proto=http2;http:ssl'.format(ts.Variables.port, ts.Variables.ssl_port), + 'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2', + # set global policy + 'proxy.config.ssl.client.verify.server.policy': 'PERMISSIVE', + 'proxy.config.ssl.client.verify.server.properties': 'ALL', + 'proxy.config.ssl.client.CA.cert.path': '{0}'.format(ts.Variables.SSLDir), + 'proxy.config.ssl.client.CA.cert.filename': 'signer.pem', + 'proxy.config.url_remap.pristine_host_hdr': 1 +}) + +# Should succeed without message +tr = Test.AddTestRun("default-permissive-success") +tr.Setup.Copy("ssl/signed-foo.key") +tr.Setup.Copy("ssl/signed-foo.pem") +tr.Setup.Copy("ssl/signed-bar.key") +tr.Setup.Copy("ssl/signed-bar.pem") +tr.Processes.Default.Command = 'curl -k -H \"host: foo.com\" http://127.0.0.1:{0}/basic'.format(ts.Variables.port) +tr.ReturnCode = 0 +tr.Processes.Default.StartBefore(server_foo) +tr.Processes.Default.StartBefore(server_bar) +tr.Processes.Default.StartBefore(server) +tr.Processes.Default.StartBefore(Test.Processes.ts, ready=When.PortOpen(ts.Variables.port)) +tr.StillRunningAfter = server +tr.StillRunningAfter = ts +tr.Processes.Default.TimeOut = 5 +# Should succed. No message +tr.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could Not Connect", "Curl attempt should have succeeded") +tr.TimeOut = 5 + +tr2 = Test.AddTestRun("default-permissive-fail") +tr2.Processes.Default.Command = "curl -k -H \"host: bar.com\" http://127.0.0.1:{0}/basic".format(ts.Variables.port) +tr2.ReturnCode = 0 +tr2.StillRunningAfter = server +tr2.Processes.Default.TimeOut = 5 +tr2.StillRunningAfter = ts +# Should succeed, but will be message in log about name mismatch +tr2.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could Not Connect", "Curl attempt should have succeeded") +tr2.TimeOut = 5 + +tr2 = Test.AddTestRun("default-permissive-fail2") +tr2.Processes.Default.Command = "curl -k -H \"host: random.com\" http://127.0.0.1:{0}/basic".format(ts.Variables.port) +tr2.ReturnCode = 0 +tr2.StillRunningAfter = server +tr2.Processes.Default.TimeOut = 5 +tr2.StillRunningAfter = ts +# Should succeed, but will be message in log about signature +tr2.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could Not Connect", "Curl attempt should have succeeded") +tr2.TimeOut = 5 + +tr3 = Test.AddTestRun("override-foo") +tr3.Processes.Default.Command = "curl -k -H \"host: foo.com\" http://127.0.0.1:{0}/override".format(ts.Variables.port) +tr3.ReturnCode = 0 +tr3.StillRunningAfter = server +tr3.StillRunningAfter = ts +# Should succeed. No error messages +tr3.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could Not Connect", "Curl attempt should have succeeded") +tr3.Processes.Default.TimeOut = 5 + +tr4 = Test.AddTestRun("override-bar-disabled") +tr4.Processes.Default.Command = "curl -k -H \"host: bad_bar.com\" http://127.0.0.1:{0}/overridedisabled".format(ts.Variables.port) +tr4.ReturnCode = 0 +tr4.StillRunningAfter = server +tr4.StillRunningAfter = ts +# Succeed. No error messages +tr4.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could Not Connect", "Curl attempt should have succeeded") +tr4.Processes.Default.TimeOut = 5 + +tr5 = Test.AddTestRun("override-bar-signature-enforced") +tr5.Processes.Default.Command = "curl -k -H \"host: bar.com\" http://127.0.0.1:{0}/overridesignature".format(ts.Variables.port) +tr5.ReturnCode = 0 +tr5.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could Not Connect", "Curl attempt should have succeeded") +tr5.StillRunningAfter = server +tr5.StillRunningAfter = ts +tr5.Processes.Default.TimeOut = 5 + +tr6 = Test.AddTestRun("override-bar-enforced") +tr6.Processes.Default.Command = "curl -k -H \"host: bar.com\" http://127.0.0.1:{0}/overrideenforced".format(ts.Variables.port) +tr6.ReturnCode = 0 +# Should fail +tr6.Processes.Default.Streams.stdout = Testers.ContainsExpression("Could Not Connect", "Curl attempt should have failed") +tr6.StillRunningAfter = server +tr6.StillRunningAfter = ts +tr6.Processes.Default.TimeOut = 5 + + +# Over riding the built in ERROR check since we expect some cases to fail + +# checks on random.com should fail with message only +ts.Disk.diags_log.Content = Testers.ContainsExpression("WARNING: Core server certificate verification failed for \(random.com\). Action=Continue Error=self signed certificate server=127.0.0.1\(127.0.0.1\) depth=0", "Warning for self signed certificate") +# No complaints about foo +ts.Disk.diags_log.Content += Testers.ExcludesExpression("WARNING: SNI \(foo.com\) not in certificate", "foo.com name requests are good") +# permissive failure for bar.com +ts.Disk.diags_log.Content += Testers.ContainsExpression("WARNING: SNI \(bar.com\) not in certificate. Action=Continue server=127.0.0.1\(127.0.0.1\)", "Warning on missing name for bar.com") +# name check failure for random.com +ts.Disk.diags_log.Content += Testers.ContainsExpression("WARNING: SNI \(random.com\) not in certificate. Action=Continue server=127.0.0.1\(127.0.0.1\)", "Warning on missing name for randome.com") +# name check failure for bar.com +ts.Disk.diags_log.Content += Testers.ContainsExpression("WARNING: SNI \(bar.com\) not in certificate. Action=Terminate server=127.0.0.1\(127.0.0.1\)", "Failure on missing name for bar.com") + +